Vulnerability disclosures

Service NSW welcomes vulnerability reports that help us to provide safe and secure services to our customers. 

Our approach to vulnerability disclosure

Service NSW deeply values the positive impact security researchers have on our ability to provide safe and secure services to our customers.

We employ a bug bounty program through our partnership with Bugcrowd, and we gratefully accept any vulnerability disclosure reports. 

Our commitment to researchers

  • Trust. We maintain complete confidentiality in our professional exchanges with researchers. 
  • Respect. We treat all researchers with respect and recognise your positive contribution to helping keep our customers safe. 
  • Transparency. We will openly work with researchers to validate and remediate reported vulnerabilities in accordance with our commitments to security and privacy. 
  • Common good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability. 

Our ask of researchers

  • Trust. We ask that researchers communicate potential vulnerabilities with us in a responsible manner, providing us sufficient time and information to validate and address any potential issues. 
  • Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. 
  • Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate the reported issues. 
  • Common good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address the reported issues. 

How to report a vulnerability

We encourage you to submit details of suspected vulnerabilities across any asset owned, controlled, operated or maintained by Service NSW, including public-facing websites under the service.nsw.gov.au domain or the Service NSW mobile application. 

Submit a report

Recognition

Service NSW would like to thank the following contributors who have helped us improve the quality of our services, and safety of our customers.

Via Bug Bounty:  

  • Steve_Smith  
  • Harie_Cool  
  • Bathini Vijaysimha Reddy  
  • Richard Nelson  
  • Evilajay  
  • Nickw444  
  • Yaakov  
  • m0ppi  
  • nomanAli181  
  • chyawanprash  
  • shubhack319  
  • Jamieson O'Reilly (Dvuln)
  • Noah Farmer (Dvuln)
  • mohamadshokor

Related information

Last updated: 3 May 2022